
RE: [cobalt-security] php security..



If your PHP daemon runs as a service it will have a set of ownership
privileges assigned,
e.g. if it runs as root it can read/write anything; if it runs as httpd
it can read anything which has got -r-- at the end of the file permissions.

This means only root can read/write it; there are no group or everyone
privileges:

[folder][owner][group][everyone][username][group]
/root/      rwx-------               root root

I'd suggest changing the PHP daemon UID to something less dangerous, or
enabling a PHP conf on a per-site basis and restricting the base directory
to their /home/sites/siteX/ folder.

However I'm no PHP guru, so keep pushing the list members for some extra
help, but it might give you an indication.

good luck :)
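The per-site base-directory restriction suggested above, written out as an added example (not the poster's own configuration): an Apache mod_php vhost fragment with the unrestricted setting beside the confined one. The site path follows the reply's /home/sites/siteX/ layout; the ServerName and DocumentRoot values are assumed placeholders.

```apache
# Added example, not from the thread. Assumed: Apache with mod_php, one
# vhost per customer site under /home/sites/siteX/.

# Weak: no open_basedir. A script uploaded by this site's user can read
# every file the httpd user can read, anywhere on the box (world-readable
# files of every other customer included), which is exactly the browsing
# the original post describes.
<VirtualHost *:80>
    ServerName siteX.example
    DocumentRoot /home/sites/siteX/web
</VirtualHost>

# Hardened: confine PHP's file functions for this vhost to the site's own
# tree. php_admin_value cannot be overridden from .htaccess or ini_set().
# The trailing slash matters: "/home/sites/siteX" without it would also
# match "/home/sites/siteX2".
<VirtualHost *:80>
    ServerName siteX.example
    DocumentRoot /home/sites/siteX/web
    php_admin_value open_basedir "/home/sites/siteX/:/tmp/"
    # Keep temp and session files inside the allowed paths as well,
    # otherwise uploads and sessions break once open_basedir is on.
    php_admin_value upload_tmp_dir "/tmp"
    php_admin_value session.save_path "/tmp"
</VirtualHost>
```

open_basedir only governs PHP's own file functions; anything the httpd user can read is still reachable through other routes (shell commands from PHP, CGI, other users' scripts), so the ownership and UID points in the reply still apply.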

-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Kai Schantz,
Euroweb
Sent: 30 June 2001 04:56
To: Cobalt-Security@List.Cobalt.Com
Subject: [cobalt-security] php security..


Hi, everybody

I was surfing one of the better known resource sites on PHP scripts when I
came over a script that said that it would make my browser window look like
Explorer (file manager) and I could download everything besides root-only
files and see the whole server's structure and browse around like I was using a
file manager. All this with installing it in my web dir as a normal user and
permissions. And then open the browser and go to the URL you installed it at
and open "page.php" AND THAT IT DID!!
And everyone that has the URL to the PHP page can do the same, surf around
on your server and download.

The browser window you get when installing this PHP script as a normal user
inside your web dir is like using a very fast FTP or file manager. The user
gets permission to browse all the server dirs/maps except the root folder.

Actually I liked it because I got a very good understanding of where everything
was placed and could download everything others had on their sites. But this
I don't want my users to be able to do!!
I see it as a security hole.

Think of what your competitors can do.. Download all your customers' files
with their scripts and their complete web solution.. and not nice for our
customers to know that everybody can download your complete site, even files
that are not linked to, and their scripts.

I made a webpage where I have posted some screenshots taken when I use this
PHP page.
www.webdomene.com/phpsec

If somebody wants the script with the purpose of finding a solution on how to
prevent this and similar scripts from being used, I'd be happy to send it to
them.

Best regards..

Kai Schantz
Euroweb AS

_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security